“The failure of utilities to heed the advice of their own industry-controlled reliability organization raises serious questions about whether the grid will be adequately protected by a voluntary approach to cybersecurity,” said Waxman at a House Energy and Commerce Committee hearing.
President Obama’s cybersecurity order tasked the National Institute of Standards and Technology (NIST) with creating incentives for critical infrastructure to protect itself against cyber attacks.
“A voluntary approach to cybersecurity might make sense for some sectors, but experience shows that it cannot be relied upon to protect the electric grid,” he said.
Several Republicans argued against a mandatory approach, saying mandatory rules could become quickly outdated.
“One of the things we know is that cybersecurity is uniquely ill-suited for federal regulation. Rapid changes in technology guarantee the failure of static, prescriptive approaches,” said Rep. Marsha Blackburn (R-Tenn.).
Committee Chairman Fred Upton (R-MI) voiced skepticism of a “top-down, command-and-control” regulatory approach that would allow the Department of Homeland Security or any other agency to regulate the private sector.
“I believe that the best approach to improve cybersecurity is for existing regulators to work with industry stakeholders, and for robust information sharing between government and stakeholders,” said Upton.
The U.S. government reportedly created Stuxnet in partnership with Israel to target Iranian nuclear facilities, but the worm escaped onto the public Internet.